In message <4E5A2C0A6997D811B58800A0C9C551501A3109@ashland01msx>, "Gates, Scott" <[log in to unmask]> writes
>Admit it, you did. <GRIN>
>
>I've gotten a few spams from list serv members, including one with my name
>as sender. I think one of us out there has a spamming virus that's walking
>through their inbox and harvesting addresses.
>
>Spambayes caught both of them. It's a *FREE* spam filter that attaches to
>Micro$oft LOOK-OUT! And works PRETTY well once you get it trained up.
>
>You all can find it at http://spambayes.sourceforge.net/

The same thing that happened to Andreas just happened to me - a posting here was made with my identity, but forged, and not by me.

Looking at the Andreas forged posting headers, the first (lowest) Received: header is:

Received: from raven.utc.edu (68.113.140.156) by raven.utc.edu (LSMTP for Windows NT v1.1b) with SMTP id <[log in to unmask]>; Thu, 29 Apr 2004 21:10:40 -0400

which looks like it came from raven.utc.edu, though that's probably forged too: the less-easily-forgeable IP address 68.113.140.156 resolves to:

Charter Communications CHARTER-NET-6BLK (NET-68-112-0-0-1)
                       68.112.0.0 - 68.119.255.255
Charter Communications CHRLSTN-WV-68-113-128 (NET-68-113-128-0-1)
                       68.113.128.0 - 68.113.143.255

whereas raven has its own IP space in reality.

We then start to worry though (which is no doubt the intention): was that *really* Scott Gates who replied here, or the spammer [1] again? But comparing headers with 'known good' messages from Scott seems to reveal that it is indeed he :-)

[1] I don't know about 'the spammer'. My forgery came from a UK address in NTL Blueyonder's address space, AFAICT; quite different from Andreas' forgery. That smacks of zombified [2] PCs being used to launch these attacks. But why? I fear we shall soon find out....

[2] Modern-day viruses and Trojans no longer simply destroy their hosts, like the olden-day ones did. Instead, they infect a range of PCs, all of which 'phone home' to say they've been zombified, and then await instructions on what mischief to wreak - a concerted DDOS (Distributed Denial of Service) attack, perhaps, where thousands of PCs simultaneously bombard a website with messages. Or maybe just a 'who the hell said that'? attack on a mailing list, like this.

Seems to be mail, though; an HP3000-L thing, rather than a comp.sys.hp.mpe thing. And it knows it has to pretend to be a subscriber to get through, though that's hardly unusual on a mailing list...

Further oddities are awaited with trepidation; is Jeff going to need to start checking that our fides are really bona before long?

--
Roy Brown        'Have nothing in your houses that you do not know to be
Kelmscott Ltd     useful, or believe to be beautiful'  William Morris

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
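
The header comparison described in the message above, as an added example that is not part of the original post: it pulls the announced host name and the recorded peer IP out of the quoted Received: header and tests the IP against the Charter Communications range the post cites. The function names and result labels are constructed for this illustration.

```python
import ipaddress
import re

# First (lowest) Received: header as quoted in the post; the SMTP id is
# shown masked, exactly as the list archive displays it.
RECEIVED = ("from raven.utc.edu (68.113.140.156) by raven.utc.edu "
            "(LSMTP for Windows NT v1.1b) with SMTP id <[log in to unmask]>; "
            "Thu, 29 Apr 2004 21:10:40 -0400")

# Allocation the post quotes for the connecting address.
CHARTER_RANGE = ("68.113.128.0", "68.113.143.255")


def parse_received(value):
    """Return (claimed_name, peer_ip, receiving_host), or None if unparsable."""
    m = re.match(r"\s*from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", value, re.I)
    if not m:
        return None
    # The parenthesised part is what the receiving server recorded about the
    # peer: either "(1.2.3.4)" or "(name [1.2.3.4])".
    ip_m = re.search(r"(?:\d{1,3}\.){3}\d{1,3}", m.group(2))
    if not ip_m:
        return None
    try:
        ip = ipaddress.ip_address(ip_m.group(0))
    except ValueError:  # e.g. an octet above 255
        return None
    return m.group(1).lower(), ip, m.group(3).lower()


def range_to_networks(first, last):
    """Convert a whois-style first/last address pair to CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def assess(value, outside_range):
    """Classify one Received: value against a range known not to be the server's."""
    parsed = parse_received(value)
    if parsed is None:
        return "unparsable"
    claimed, ip, receiver = parsed
    if not any(ip in net for net in range_to_networks(*outside_range)):
        return "not-in-range"
    # Peer announced the receiving server's own name from someone else's network.
    return "suspect-self-name" if claimed == receiver else "in-range"


if __name__ == "__main__":
    print(assess(RECEIVED, CHARTER_RANGE))
```

The announced name after "from" is whatever the sending machine chose to say; the address in parentheses is what the receiving server saw on the connection, which is why the comparison keys on the address.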